E.2.2. Changes

An unprivileged user of dblink
or postgres_fdw could bypass the checks intended
to prevent use of server-side credentials, such as
a ~/.pgpass file owned by the operating-system
user running the server. Servers allowing peer authentication on
local connections are particularly vulnerable. Other attacks such
as SQL injection into a postgres_fdw session
are also possible.
Attacking postgres_fdw in this way requires the
ability to create a foreign server object with selected connection
parameters, but any user with access to dblink
could exploit the problem.
In general, an attacker with the ability to select the connection
parameters for a libpq-using application
could cause mischief, though other plausible attack scenarios are
harder to think of.
Our thanks to Andrew Krasichkov for reporting this issue.
(CVE-2018-10915)
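An audit query to pair with this item, added here as an example and not taken from the PostgreSQL release notes or source: it lists the non-superuser login roles that can call dblink's connection functions, and the postgres_fdw user mappings whose options carry no password, i.e. the connections that would fall back to server-side credentials such as ~/.pgpass or peer authentication. Run it as a superuser in each database where dblink or postgres_fdw is installed; the function names are resolved at execution time, and umoptions is hidden from other users. The schema placement of the dblink functions is an assumption.

```sql
-- Added example, not part of the PostgreSQL release notes.
-- Part 1: which non-superuser login roles can open dblink connections?
-- Assumes dblink is installed in a schema on the search_path; otherwise
-- schema-qualify the function names in the has_function_privilege() calls.
SELECT r.rolname,
       has_function_privilege(r.oid, 'dblink_connect(text)', 'EXECUTE') AS can_dblink_connect,
       has_function_privilege(r.oid, 'dblink(text, text)', 'EXECUTE')   AS can_dblink_query
  FROM pg_roles r
 WHERE NOT r.rolsuper
   AND r.rolcanlogin
   AND (   has_function_privilege(r.oid, 'dblink_connect(text)', 'EXECUTE')
        OR has_function_privilege(r.oid, 'dblink(text, text)', 'EXECUTE'))
 ORDER BY r.rolname;

-- Part 2: postgres_fdw user mappings with no password option. umoptions is
-- NULL when the current user may not see it, and unnest(NULL) yields no
-- rows, so run this as a superuser or every hidden mapping gets flagged.
SELECT s.srvname,
       um.usename,
       s.srvoptions,
       um.umoptions
  FROM pg_user_mappings um
  JOIN pg_foreign_server s       ON s.oid = um.srvid
  JOIN pg_foreign_data_wrapper w ON w.oid = s.srvfdw
 WHERE w.fdwname = 'postgres_fdw'
   AND NOT EXISTS (SELECT 1
                     FROM unnest(um.umoptions) AS o
                    WHERE o LIKE 'password=%')
 ORDER BY s.srvname, um.usename;
```

Because the dblink extension grants EXECUTE on most of its functions to PUBLIC by default, the first part typically returns every login role on an unpatched server, which is the population the release note refers to with "any user with access to dblink". The second part shows which foreign servers would have relied on credentials the server process holds rather than ones the mapped user supplied.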

Fix INSERT ... ON CONFLICT UPDATE through a view
that isn't just SELECT * FROM ...
(Dean Rasheed, Amit Langote)

Erroneous expansion of an updatable view could lead to crashes
or “attribute ... has the wrong type” errors, if the
view's SELECT list doesn't match one-to-one with
the underlying table's columns.
Furthermore, this bug could be leveraged to allow updates of columns
that an attacking user lacks UPDATE privilege for,
if that user has INSERT and UPDATE
privileges for some other column(s) of the table.
Any user could also use it for disclosure of server memory.
(CVE-2018-10925)
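A regression check for this item, added here as an example that is not part of the release notes; table, view and role names (accounts, accounts_v, app_user) are assumptions. The view selects a subset of the base table's columns in a different order, so its SELECT list is not one-to-one with the table, which is the shape the bug mishandled. A restricted role receives INSERT plus UPDATE on a single view column and runs INSERT ... ON CONFLICT DO UPDATE through the view; the final query reports 'ok' only if the update landed on the intended base column and left the column the role may not update untouched. Run it as a superuser on a patched server; everything is rolled back.

```sql
-- Added example, not part of the PostgreSQL release notes.
BEGIN;
CREATE ROLE app_user;                              -- constructed test role
CREATE TABLE accounts (
    id      int PRIMARY KEY,
    balance numeric NOT NULL DEFAULT 0,
    note    text
);
INSERT INTO accounts (id, balance, note) VALUES (1, 100, 'original');

-- Column subset in a different order: not one-to-one with accounts.
CREATE VIEW accounts_v AS SELECT note, id FROM accounts;
GRANT SELECT, INSERT ON accounts_v TO app_user;
GRANT UPDATE (note) ON accounts_v TO app_user;     -- UPDATE on note only

SET ROLE app_user;
INSERT INTO accounts_v (id, note) VALUES (1, 'updated')
    ON CONFLICT (id) DO UPDATE SET note = EXCLUDED.note;
RESET ROLE;

-- With the fix, note is rewritten and balance (no UPDATE privilege, and not
-- even present in the view) keeps its value.
SELECT CASE WHEN note = 'updated' AND balance = 100
            THEN 'ok' ELSE 'MISMATCH' END AS conflict_update_check
  FROM accounts
 WHERE id = 1;
ROLLBACK;
```

The check is deliberately run through the view rather than the table: the release note's concern is that the view's column list was expanded against the wrong base columns, so a correct result is one where the base row changed only in the column the role was granted.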

Ensure that updates to the relfrozenxid
and relminmxid values
for “nailed” system catalogs are processed in a timely
fashion (Andres Freund)

Overoptimistic caching rules could prevent these updates from being
seen by other sessions, leading to spurious errors and/or data
corruption. The problem was significantly worse for shared catalogs,
such as pg_authid, because the stale cache
data could persist into new sessions as well as existing ones.
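A monitoring query for the symptom this item describes, added as an example that is not part of the release notes: it reports the transaction-ID and multixact age of every system catalog, marks the shared ones such as pg_authid, and compares the age with autovacuum_freeze_max_age. Catalog ages that keep climbing after VACUUM, or that differ between two sessions, are what a stale cached relfrozenxid or relminmxid looks like from the outside.

```sql
-- Added example, not part of the PostgreSQL release notes.
-- Per-catalog freeze horizons; relisshared marks catalogs such as pg_authid
-- that are visible in every database.
SELECT c.relname,
       c.relisshared,
       age(c.relfrozenxid)     AS xid_age,
       mxid_age(c.relminmxid)  AS mxid_age,
       age(c.relfrozenxid) > current_setting('autovacuum_freeze_max_age')::int
           AS past_freeze_max_age
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
 WHERE n.nspname = 'pg_catalog'
   AND c.relkind = 'r'                  -- only plain tables carry these fields
 ORDER BY xid_age DESC;

-- Per-database horizon, derived from the per-relation values above; a
-- catalog whose value lags drags the whole database's horizon with it.
SELECT d.datname,
       age(d.datfrozenxid)     AS xid_age,
       mxid_age(d.datminmxid)  AS mxid_age
  FROM pg_database d
 ORDER BY xid_age DESC;
```

Running the first query from two different sessions after a VACUUM of a catalog and comparing the rows is the cheapest way to see whether every backend agrees on the new horizon.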

Fix SHOW ALL to show all settings to roles that are
members of pg_read_all_settings, and also allow
such roles to see source filename and line number in
the pg_settings view (Laurenz Albe,
Álvaro Herrera)

Under rare circumstances, this oversight could result in “could
not generate random cancel key” failures that could only be
resolved by restarting the postmaster.
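A check for the SHOW ALL and pg_settings change above, added as an example that is not part of the release notes; the role name monitor is an assumption. It makes a role a member of pg_read_all_settings and, as that role, confirms that superuser-only settings appear in SHOW ALL and that the sourcefile and sourceline columns are populated. Run it as a superuser; everything is rolled back.

```sql
-- Added example, not part of the PostgreSQL release notes.
BEGIN;
CREATE ROLE monitor;                               -- constructed role
GRANT pg_read_all_settings TO monitor;

SET ROLE monitor;
-- Superuser-only settings such as data_directory and hba_file are part of
-- the SHOW ALL listing for this role once the fix is applied.
SHOW ALL;

-- Settings read from a configuration file have a sourcefile and sourceline;
-- for a pg_read_all_settings member these were NULL before the fix, so the
-- first column should now be zero.
SELECT count(*) FILTER (WHERE sourcefile IS NULL) AS missing_source_location,
       count(*)                                   AS file_sourced_settings
  FROM pg_settings
 WHERE source = 'configuration file';

-- Superuser-only settings are visible to the role in pg_settings as well.
SELECT name, setting, source, sourcefile, sourceline
  FROM pg_settings
 WHERE name IN ('data_directory', 'config_file', 'hba_file', 'ident_file');
RESET ROLE;
ROLLBACK;
```

Granting pg_read_all_settings rather than SUPERUSER to monitoring accounts is the point of the role; this check is how to confirm the grant actually gives a monitoring tool the complete picture it expects.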

Fix libpq's handling of some cases
where hostaddr is specified
(Hari Babu, Tom Lane, Robert Haas)

PQhost() gave misleading or incorrect results
in some cases. Now, it uniformly returns the host name if specified,
or the host address if only that is specified, or the default host
name (typically /tmp
or localhost) if both parameters are omitted.

Also, the wrong value might be compared to the server name when
verifying an SSL certificate.

Also, the wrong value might be compared to the host name field in
~/.pgpass. Now, that field is compared to the
host name if specified, or the host address if only that is specified,
or localhost if both parameters are omitted.

Also, an incorrect error message was reported for an unparseable
hostaddr value.

Also, when the host, hostaddr,
or port parameters contain comma-separated
lists, libpq is now more careful to treat
empty elements of a list as selecting the default behavior.

Add a string freeing function
to ecpg's pgtypes
library, so that cross-module memory management problems can be
avoided on Windows (Takayuki Tsunakawa)

On Windows, crashes can ensue if the free call
for a given chunk of memory is not made from the same DLL
that malloc'ed the memory.
The pgtypes library sometimes returns strings
that it expects the caller to free, making it impossible to follow
this rule. Add a PGTYPESchar_free() function
that just wraps free, allowing applications
to follow this rule.

Fix ecpg's support for long
long variables on Windows, as well as other platforms that
declare strtoll/strtoull
nonstandardly or not at all (Dang Minh Huong, Tom Lane)

Fix misidentification of SQL statement type in PL/pgSQL, when a rule
change causes a change in the semantics of a statement intra-session
(Tom Lane)

This error led to assertion failures, or in rare cases, failure to
enforce the INTO STRICT option as expected.

Fix password prompting in client programs so that echo is properly
disabled on Windows when stdin is not the
terminal (Matthew Stickney)

Further fix mis-quoting of values for list-valued GUC variables in
dumps (Tom Lane)

The previous fix for quoting of search_path and
other list-valued variables in pg_dump
output turned out to misbehave for empty-string list elements, and it
risked truncation of long file paths.

Rearrange makefiles to ensure that programs link to freshly-built
libraries (such as libpq.so) rather than ones
that might exist in the system library directories (Tom Lane)

This avoids problems when building on platforms that supply old copies
of PostgreSQL libraries.

Update time zone data files to tzdata
release 2018e for DST law changes in North Korea, plus historical
corrections for Czechoslovakia.

This update includes a redefinition of “daylight savings”
in Ireland, as well as for some past years in Namibia and
Czechoslovakia. In those jurisdictions, legally standard time is
observed in summer, and daylight savings time in winter, so that the
daylight savings offset is one hour behind standard time not one hour
ahead. This does not affect either the actual UTC offset or the
timezone abbreviations in use; the only known effect is that
the is_dst column in
the pg_timezone_names view will now be true
in winter and false in summer in these cases.